View Full Version : Help with ad.yieldmanager pop-ups
zschnapp
2007-01-07, 05:36
My computer always gets pop-ups from ad.yieldmanager. I've tried virus scans with several different programs, remove everything that shows up, then I still have the same pop-ups.
Can anyone help with removal of this? PLEASE!!
Thanks
-----------------------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 11:29:35 PM, on 1/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\STOPzilla!\STOPzilla.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\program files\support.com\bin\tgcmd.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\system32\ghgpijkj.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\ArcSoft\Media Card Companion\MCC Monitor.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\SBC\Connection Manager\CManager.exe
C:\PROGRA~1\BROADJ~1\CORREC~1\CCD.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Microsoft Digital Image 2006\Pod.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Picasa2\Picasa2.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\Photoshop Album Starter Edition.exe
C:\Program Files\Microsoft Digital Image 2006\Pod.exe
C:\Program Files\Microsoft Digital Image 2006\Pod.exe
C:\Program Files\Microsoft Digital Image 2006\pi.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\ComponentLauncher.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\COMMON~1\MICROS~1\Msinfo\OFFPROV.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\DOCUME~1\JEFFSC~1\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dsl.sbc.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rd.yahoo.com/customize/sbcydsl/defaults/*http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/sbcydsl/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/customize/sbcydsl/defaults/sp/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rd.yahoo.com/customize/sbcydsl/defaults/*http://yahoo.sbc.com/dsl
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: ZILLAbar BHO - {1827766B-9F49-4854-8034-F6EE26FCB1EC} - C:\Program Files\STOPzilla!\ZB2.dll
O2 - BHO: (no name) - {49239337-5590-8956-27C8-005D8D7902D8} - C:\WINDOWS\system32\wqvyrbd.dll
O2 - BHO: (no name) - {49557C49-B6A1-C3B4-2280-02FB6F76A92B} - C:\WINDOWS\system32\kxzlzui.dll
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\GoogleAFE\GoogleAE.dll
O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\Program Files\STOPzilla!\SZIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: STOPzilla - {98828DED-A591-462F-83BA-D2F62A68B8B8} - C:\Program Files\STOPzilla!\ZB2.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [tgcmdprovidersbc] "c:\program files\support.com\bin\tgcmd.exe" /server /startmonitor /deaf /nosystray
O4 - HKLM\..\Run: [wqvyrbd.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\wqvyrbd.dll,yiqjdn
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Alexa bridge] C:\WINDOWS\system32\ghgpijkj.exe
O4 - HKLM\..\Run: [MRT] "C:\WINDOWS\system32\MRT.exe" /R
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - Startup: .protected
O4 - Startup: Connection Manager.lnk = C:\Program Files\SBC\Connection Manager\CManager.exe
O4 - Global Startup: .protected
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Monitor.lnk = C:\Program Files\ArcSoft\Media Card Companion\MCC Monitor.exe
O4 - Global Startup: officejet 6100.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0023E6E0-84CC-7349-4430-7CFE3D7CF075} - http://85.255.115.229/1/gdnUS1440.exe
O16 - DPF: {09C55432-9B6A-53F0-B65C-7E012E616C77} - http://85.255.115.229/1/gdnUS1440.exe
O16 - DPF: {0D9942C3-120C-222C-304E-2FC765F2C20A} - http://85.255.115.229/1/gdnUS1402.exe
O16 - DPF: {18AB8E85-D3C8-6CA1-669B-2FD5348CA9EF} - http://85.255.115.229/1/gdnUS1402.exe
O16 - DPF: {1A8A41A6-4974-5266-8947-4E9E36447910} - http://85.255.115.229/1/gdnUS1402.exe
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/HistorySwatterFWBInitialSetup1.0.0.15.cab
O16 - DPF: {2360D365-7AC4-5932-C991-7DA27E6F5C4A} - http://85.255.115.229/1/gdnUS1402.exe
O16 - DPF: {38807FEC-5D05-401D-5A72-73700BAC484B} - http://85.255.115.229/1/gdnUS1402.exe
O16 - DPF: {448EC0E6-8C1A-3E66-EC4C-62066CB83079} - http://85.255.115.229/1/gdnUS1440.exe
O16 - DPF: {496544E9-3767-44AA-F71F-4EE154B24521} - http://85.255.115.229/1/gdnUS1402.exe
O16 - DPF: {4EE7E7E2-A2DC-582F-9AFB-237C60B7BEAD} - http://85.255.115.229/1/gdnUS1402.exe
O16 - DPF: {651CFB98-97EE-1C2A-7DA4-27FA66FB2329} - http://85.255.115.229/1/gdnUS1402.exe
O16 - DPF: {6672AD1F-DA55-2828-2E4C-6B3F703E842E} - http://85.255.115.229/1/gdnUS1402.exe
O16 - DPF: {75AF088E-CA27-1149-7DC1-54011955133A} - http://85.255.115.229/1/gdnUS1440.exe
O16 - DPF: {7890D745-EFBD-0F63-1DDD-03486E25FF73} - http://85.255.115.229/1/gdnUS1440.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{4AA508C2-5E85-4F4E-A809-3E6C3B18B3FA}: NameServer = 66.73.20.40 206.141.193.55
O17 - HKLM\System\CS1\Services\Tcpip\..\{4AA508C2-5E85-4F4E-A809-3E6C3B18B3FA}: NameServer = 66.73.20.40 206.141.193.55
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: STOPzilla Service (szserver) - Unknown owner - C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
pskelley
2007-01-09, 12:37
Hello and welcome to the forum, if you still need help and are not receiving elsewhere, you do have some problems. The multiple 016 DPF's search back to Ukrainian hackers:
http://whois.domaintools.com/85.255.115.229 There is other nasty junk also. If you want help, please do this.
1) Read and follow these instructions you appear to have missed posted at the top of the page:
"BEFORE you POST" -Preliminary Steps
http://forums.spybot.info/showthread.php?t=288
2) You are running HJT.exe from a .zip file in a Temporary Directory. This is unsafe as we will have no backups. That is why you received this message when you used HJT: http://russelltexas.com/malware/images/unsafefolder.gif
Please use the information in the following link to place HJT in a permanent, safe folder, I prefer C:\HJT\HijackThis.exe. If you need additional instructions use these: http://russelltexas.com/malware/createhjtfolder.htm
Post the antivirus scan results and a new HJT log and I will respond with instructions as soon as possible after that. Use "Post Reply" stay in this same topic.
Thanks
zschnapp
2007-01-10, 03:05
Sorry, I paid no attention to the first post... I think I've done it correctly now.
Here is the log:
Logfile of HijackThis v1.99.1
Scan saved at 8:16:00 PM, on 1/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\program files\support.com\bin\tgcmd.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ghgpijkj.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\ArcSoft\Media Card Companion\MCC Monitor.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\SBC\Connection Manager\CManager.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\PROGRA~1\BROADJ~1\CORREC~1\CCD.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\HJT\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dsl.sbc.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rd.yahoo.com/customize/sbcydsl/defaults/*http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/sbcydsl/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/customize/sbcydsl/defaults/sp/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rd.yahoo.com/customize/sbcydsl/defaults/*http://yahoo.sbc.com/dsl
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: ZILLAbar BHO - {1827766B-9F49-4854-8034-F6EE26FCB1EC} - C:\Program Files\STOPzilla!\ZB2.dll
O2 - BHO: (no name) - {49239337-5590-8956-27C8-005D8D7902D8} - C:\WINDOWS\system32\wqvyrbd.dll
O2 - BHO: (no name) - {49557C49-B6A1-C3B4-2280-02FB6F76A92B} - C:\WINDOWS\system32\kxzlzui.dll
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\GoogleAFE\GoogleAE.dll
O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\Program Files\STOPzilla!\SZIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: STOPzilla - {98828DED-A591-462F-83BA-D2F62A68B8B8} - C:\Program Files\STOPzilla!\ZB2.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [tgcmdprovidersbc] "c:\program files\support.com\bin\tgcmd.exe" /server /startmonitor /deaf /nosystray
O4 - HKLM\..\Run: [wqvyrbd.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\wqvyrbd.dll,yiqjdn
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Alexa bridge] C:\WINDOWS\system32\ghgpijkj.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - Startup: .protected
O4 - Startup: Connection Manager.lnk = C:\Program Files\SBC\Connection Manager\CManager.exe
O4 - Global Startup: .protected
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Monitor.lnk = C:\Program Files\ArcSoft\Media Card Companion\MCC Monitor.exe
O4 - Global Startup: officejet 6100.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0023E6E0-84CC-7349-4430-7CFE3D7CF075} - http://85.255.115.229/1/gdnUS1440.exe
O16 - DPF: {09C55432-9B6A-53F0-B65C-7E012E616C77} - http://85.255.115.229/1/gdnUS1440.exe
O16 - DPF: {0D9942C3-120C-222C-304E-2FC765F2C20A} - http://85.255.115.229/1/gdnUS1402.exe
O16 - DPF: {18AB8E85-D3C8-6CA1-669B-2FD5348CA9EF} - http://85.255.115.229/1/gdnUS1402.exe
O16 - DPF: {1A8A41A6-4974-5266-8947-4E9E36447910} - http://85.255.115.229/1/gdnUS1402.exe
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/HistorySwatterFWBInitialSetup1.0.0.15.cab
O16 - DPF: {2360D365-7AC4-5932-C991-7DA27E6F5C4A} - http://85.255.115.229/1/gdnUS1402.exe
O16 - DPF: {38807FEC-5D05-401D-5A72-73700BAC484B} - http://85.255.115.229/1/gdnUS1402.exe
O16 - DPF: {448EC0E6-8C1A-3E66-EC4C-62066CB83079} - http://85.255.115.229/1/gdnUS1440.exe
O16 - DPF: {496544E9-3767-44AA-F71F-4EE154B24521} - http://85.255.115.229/1/gdnUS1402.exe
O16 - DPF: {4EE7E7E2-A2DC-582F-9AFB-237C60B7BEAD} - http://85.255.115.229/1/gdnUS1402.exe
O16 - DPF: {651CFB98-97EE-1C2A-7DA4-27FA66FB2329} - http://85.255.115.229/1/gdnUS1402.exe
O16 - DPF: {6672AD1F-DA55-2828-2E4C-6B3F703E842E} - http://85.255.115.229/1/gdnUS1402.exe
O16 - DPF: {75AF088E-CA27-1149-7DC1-54011955133A} - http://85.255.115.229/1/gdnUS1440.exe
O16 - DPF: {7890D745-EFBD-0F63-1DDD-03486E25FF73} - http://85.255.115.229/1/gdnUS1440.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{4AA508C2-5E85-4F4E-A809-3E6C3B18B3FA}: NameServer = 66.73.20.40 206.141.193.55
O17 - HKLM\System\CS1\Services\Tcpip\..\{4AA508C2-5E85-4F4E-A809-3E6C3B18B3FA}: NameServer = 66.73.20.40 206.141.193.55
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: STOPzilla Service (szserver) - Unknown owner - C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
Here is the virus scan results (couldn't find a button for saving the log):
Scan Results: 115076 files scanned. 39 viruses were detected.
File Infection Status Path
Anima.class-36ea36bd-4cde0fd8.class Java/ByteVerify!exploit infected C:\Documents and Settings\Jeff Schnapp\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\
Anima.class-70f650c1-130faba1.class Java/ByteVerify!exploit infected C:\Documents and Settings\Jeff Schnapp\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\
Animae.class-16b0f4ee-4d047826.class Java/ByteVerify!exploit infected C:\Documents and Settings\Jeff Schnapp\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\
Animae.class-f39ce72-6cdae860.class Java/ByteVerify!exploit infected C:\Documents and Settings\Jeff Schnapp\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\
Animan.class-264f5384-72589004.class Java/ByteVerify!exploit infected C:\Documents and Settings\Jeff Schnapp\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\
omfg.class-2b6e75fc-2f3b6002.class Java/Shinwow.BD infected C:\Documents and Settings\Jeff Schnapp\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\
omfg.class-4a350b78-6e00caa2.class Java/Shinwow.BD infected C:\Documents and Settings\Jeff Schnapp\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\
omfge.class-65499117-11cee6f9.class Java/Shinwow.BD infected C:\Documents and Settings\Jeff Schnapp\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\
omfgn.class-70767f73-48168457.class Java/Shinwow.BD infected C:\Documents and Settings\Jeff Schnapp\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\
arr3.jar-53b20018-2b54afe1.zip>Gummy.class Java/ByteVerify!exploit infected C:\Documents and Settings\Jeff Schnapp\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\
arr3.jar-53b20018-2b54afe1.zip>Counter.class Java/ByteVerify!exploit infected C:\Documents and Settings\Jeff Schnapp\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\
arr3.jar-53b20018-2b54afe1.zip>VerifierBug.class Java/ByteVerify!exploit infected C:\Documents and Settings\Jeff Schnapp\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\
arr3.jar-53b20018-2b54afe1.zip>Beyond.class Java/Shinwow.N infected C:\Documents and Settings\Jeff Schnapp\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\
count.jar-3f4d4806-6a30f006.zip>BlackBox.class Java/ByteVerify!exploit infected C:\Documents and Settings\Jeff Schnapp\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\
count.jar-3f4d4806-6a30f006.zip>VerifierBug.class Java/ByteVerify!exploit infected C:\Documents and Settings\Jeff Schnapp\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\
count.jar-3f4d4806-6a30f006.zip>Dummy.class Java/ByteVerify!exploit infected C:\Documents and Settings\Jeff Schnapp\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\
count.jar-3f4d4806-6a30f006.zip>Beyond.class Java/Shinwow.AT infected C:\Documents and Settings\Jeff Schnapp\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\
nRT.jar-1d5ec957-44d922c6.zip>HiPointInstallShieldRT.class Java/Shinwow.BH infected C:\Documents and Settings\Jeff Schnapp\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\
05193265.exe Win32/SillyDl.PW infected C:\Documents and Settings\Jeff Schnapp\Local Settings\Application Data\
0fe67094.exe Win32/SillyDl.PW infected C:\Documents and Settings\Jeff Schnapp\Local Settings\Application Data\
2b18bfb6.exe Win32/SilentCaller.V infected C:\Documents and Settings\Jeff Schnapp\Local Settings\Application Data\
3e3db897.exe Win32/SillyDl.PW infected C:\Documents and Settings\Jeff Schnapp\Local Settings\Application Data\
3f30fe07.exe Win32/SillyDl.PW infected C:\Documents and Settings\Jeff Schnapp\Local Settings\Application Data\
41c4faf6.exe Win32/SillyDl.PW infected C:\Documents and Settings\Jeff Schnapp\Local Settings\Application Data\
4e7c6b74.exe Win32/SillyDl.PW infected C:\Documents and Settings\Jeff Schnapp\Local Settings\Application Data\
680641d3.exe Win32/SillyDl.PW infected C:\Documents and Settings\Jeff Schnapp\Local Settings\Application Data\
7ba996f7.exe Win32/SillyDl.PW infected C:\Documents and Settings\Jeff Schnapp\Local Settings\Application Data\
8a507a96.exe Win32/SillyDl.PW infected C:\Documents and Settings\Jeff Schnapp\Local Settings\Application Data\
943d5436.exe Win32/SilentCaller.V infected C:\Documents and Settings\Jeff Schnapp\Local Settings\Application Data\
951231d6.exe Win32/SilentCaller.V infected C:\Documents and Settings\Jeff Schnapp\Local Settings\Application Data\
9577e8f6.exe Win32/SilentCaller.V infected C:\Documents and Settings\Jeff Schnapp\Local Settings\Application Data\
a483e8e2.exe Win32/SillyDl.PW infected C:\Documents and Settings\Jeff Schnapp\Local Settings\Application Data\
aba149f6.exe Win32/SillyDl.PW infected C:\Documents and Settings\Jeff Schnapp\Local Settings\Application Data\
aed4d9b7.exe Win32/SillyDl.PW infected C:\Documents and Settings\Jeff Schnapp\Local Settings\Application Data\
d1a5f097.exe Win32/SillyDl.PW infected C:\Documents and Settings\Jeff Schnapp\Local Settings\Application Data\
d36f2ca4.exe Win32/SillyDl.PW infected C:\Documents and Settings\Jeff Schnapp\Local Settings\Application Data\
f2942397.exe Win32/SillyDl.PW infected C:\Documents and Settings\Jeff Schnapp\Local Settings\Application Data\
f9cf4ce6.exe Win32/SilentCaller.V infected C:\Documents and Settings\Jeff Schnapp\Local Settings\Application Data\
ff4f8264.exe Win32/SillyDl.PW infected C:\Documents and Settings\Jeff Schnapp\Local Settings\Application Data\
Thanks a lot...If I need to do something else or again please let me know
pskelley
2007-01-10, 13:26
Thanks Jeff for returning the information, let do this:
There is a bunch of nasties here: C:\Documents and Settings\Jeff Schnapp\Local Settings\Application Data\(here) I would have thought the stuff would be in a TEMPfolder. Take a look to see what is there. You can see the weird files in the scan starting with this one: 05193265.exe Perhaps the cleaner I am going to use will remove them?
C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
Are you paying for this program? One way or another, you need to turn this program off, it may block changes we must make with HJT. Having never seen the program before, I do not have the instructions. If need be you can even uninstall it and put it back if you own it.
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exeFor your information, Viewpoint is installed by aol probably without your knowledge. I suggest you uninstall this resource waster in Add Remove programs.
http://www.clickz.com/news/article.php/3561546
http://www.greatis.com/appdata/u/v/viewmgr.exe.htm
http://www.spywareinfo.com/newsletter/archives/2005/nov4.php#viewpoint
Your Java program is out of date and a serious security breach. See this:
http://forums.spybot.info/showpost.php?p=12880&postcount=2
C:\Program Files\Java\j2re1.4.2_03\ <<< out of date, download the newest version and uninstall all old version in Add Remove Programs.
1) How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.
2) Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.
3) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/sbcyds...search/ie.html
O2 - BHO: (no name) - {49239337-5590-8956-27C8-005D8D7902D8} - C:\WINDOWS\system32\wqvyrbd.dll
O2 - BHO: (no name) - {49557C49-B6A1-C3B4-2280-02FB6F76A92B} - C:\WINDOWS\system32\kxzlzui.dll
O4 - HKLM\..\Run: [wqvyrbd.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\wqvyrbd.dll,yiqjdn
O4 - HKLM\..\Run: [Alexa bridge] C:\WINDOWS\system32\ghgpijkj.exe
O4 - Startup: .protected
O4 - Global Startup: .protected
O16 - DPF: {0023E6E0-84CC-7349-4430-7CFE3D7CF075} - http://85.255.115.229/1/gdnUS1440.exe
O16 - DPF: {09C55432-9B6A-53F0-B65C-7E012E616C77} - http://85.255.115.229/1/gdnUS1440.exe
O16 - DPF: {0D9942C3-120C-222C-304E-2FC765F2C20A} - http://85.255.115.229/1/gdnUS1402.exe
O16 - DPF: {18AB8E85-D3C8-6CA1-669B-2FD5348CA9EF} - http://85.255.115.229/1/gdnUS1402.exe
O16 - DPF: {1A8A41A6-4974-5266-8947-4E9E36447910} - http://85.255.115.229/1/gdnUS1402.exe
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/noc...up1.0.0.15.cab
O16 - DPF: {2360D365-7AC4-5932-C991-7DA27E6F5C4A} - http://85.255.115.229/1/gdnUS1402.exe
O16 - DPF: {38807FEC-5D05-401D-5A72-73700BAC484B} - http://85.255.115.229/1/gdnUS1402.exe
O16 - DPF: {448EC0E6-8C1A-3E66-EC4C-62066CB83079} - http://85.255.115.229/1/gdnUS1440.exe
O16 - DPF: {496544E9-3767-44AA-F71F-4EE154B24521} - http://85.255.115.229/1/gdnUS1402.exe
O16 - DPF: {4EE7E7E2-A2DC-582F-9AFB-237C60B7BEAD} - http://85.255.115.229/1/gdnUS1402.exe
O16 - DPF: {651CFB98-97EE-1C2A-7DA4-27FA66FB2329} - http://85.255.115.229/1/gdnUS1402.exe
O16 - DPF: {6672AD1F-DA55-2828-2E4C-6B3F703E842E} - http://85.255.115.229/1/gdnUS1402.exe
O16 - DPF: {75AF088E-CA27-1149-7DC1-54011955133A} - http://85.255.115.229/1/gdnUS1440.exe
O16 - DPF: {7890D745-EFBD-0F63-1DDD-03486E25FF73} - http://85.255.115.229/1/gdnUS1440.exe
Close all programs but HJT and all browser windows, then click on "Fix Checked"
4) RIGHT Click on Start then click on Explore. Locate and delete these items:
C:\WINDOWS\system32\ghgpijkj.exe <<< delete that file
C:\WINDOWS\system32\wqvyrbd.dl <<< delete that file
5) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.
Restart the computer and post a new HJT log, let me know how the computer is running.
Thanks
zschnapp
2007-01-12, 03:06
I finished everything on the list but I had trouble with the following:
I was unable to delete the following files:
O4 - Startup: .protected
O4 - Global Startup: .protected
A menu popped up telling me that they were in use and they could not be deleted.
I also had trouble with this step:
RIGHT Click on Start then click on Explore. Locate and delete these items:
C:\WINDOWS\system32\ghgpijkj.exe <<< delete that file
A menu popped up telling me that the file was protected and could not be deleted.
I noticed when logging onto my SBC Yahoo home page the same “ad.yieldmanager” pop-up still appeared. The page says “Dell” in the upper left hand corner and it says the following:
Sorry, we couldn't find http://ad.yieldmanager.com/st%3Fad_type. Here are some related websites:
If you have any other ideas please let me know, I appreciate all of the help you have given me.
pskelley
2007-01-12, 03:37
Just please read and follow the directions, I need to see a HJT log.
Restart the computer and post a new HJT log, let me know how the computer is running.
Before you post that HJT log, boot your computer into Safe Mode and remove those items there:
I was unable to delete the following files:
O4 - Startup: .protected
O4 - Global Startup: .protected
C:\WINDOWS\system32\ghgpijkj.exe <<< delete that file
Safe Mode instructions: http://www.bleepingcomputer.com/tutorials/tutorial61.html
Reboot to Normal Mode and post the HJT log so I can see how you did.
Thanks
zschnapp
2007-01-12, 05:31
Oops!! I'm very sorry for forgetting the hijack this log..I followed the directions very carefully, then I saved the HJT logfile, but forgot to paste it into my post. I'm sorry!!
I'm away from the infected computer right now, but I will post it tomorrow some time for sure....I can't believe I forgot it!
Thanks again for all the help.
zschnapp
2007-01-13, 03:20
Okay, here is the latest HJT log.
Logfile of HijackThis v1.99.1
Scan saved at 9:16:53 PM, on 1/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\STOPzilla!\STOPzilla.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\QuickTime\qttask.exe
C:\program files\support.com\bin\tgcmd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\ArcSoft\Media Card Companion\MCC Monitor.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\SBC\Connection Manager\CManager.exe
C:\PROGRA~1\BROADJ~1\CORREC~1\CCD.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dsl.sbc.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rd.yahoo.com/customize/sbcydsl/defaults/*http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/customize/sbcydsl/defaults/sp/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rd.yahoo.com/customize/sbcydsl/defaults/*http://yahoo.sbc.com/dsl
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: ZILLAbar BHO - {1827766B-9F49-4854-8034-F6EE26FCB1EC} - C:\Program Files\STOPzilla!\ZB2.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\GoogleAFE\GoogleAE.dll
O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\Program Files\STOPzilla!\SZIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: STOPzilla - {98828DED-A591-462F-83BA-D2F62A68B8B8} - C:\Program Files\STOPzilla!\ZB2.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [tgcmdprovidersbc] "c:\program files\support.com\bin\tgcmd.exe" /server /startmonitor /deaf /nosystray
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - Startup: .protected
O4 - Startup: Connection Manager.lnk = C:\Program Files\SBC\Connection Manager\CManager.exe
O4 - Global Startup: .protected
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Monitor.lnk = C:\Program Files\ArcSoft\Media Card Companion\MCC Monitor.exe
O4 - Global Startup: officejet 6100.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{4AA508C2-5E85-4F4E-A809-3E6C3B18B3FA}: NameServer = 66.73.20.40 206.141.193.55
O17 - HKLM\System\CS1\Services\Tcpip\..\{4AA508C2-5E85-4F4E-A809-3E6C3B18B3FA}: NameServer = 66.73.20.40 206.141.193.55
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: STOPzilla Service (szserver) - Unknown owner - C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
I was able to start in safe mode and successfully removed the file C:\WINDOWS\system32\ghgpijkj.exe.
However, I got the exact same message in safe mode for the following 2 issues:
O4 - Startup: .protected
O4 - Global Startup: .protected
The message says "Unable to delete the file, the file may be in use, use task manager to shutdown the program and run Hijack This again......"
So everything is done except for those two....I go into the task manager and can't find anywhere that those 2 things are running, so I'm not really sure how to remove them.
Thanks a lot!
pskelley
2007-01-13, 03:53
O4 - Startup: .protected
O4 - Global Startup: .protected
The message says "Unable to delete the file, the file may be in use, use task manager to shutdown the program and run Hijack This again......"
I am not either, let's start by trying this:
Please download SmitfraudFix (http://siri.urz.free.fr/Fix/SmitfraudFix.zip) (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.
Here is a link to an executable if that will work better for you:
http://siri.geekstogo.com/SmitfraudFix.php
Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.
Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm (http://www.beyondlogic.org/consulting/processutil/processutil.htm)
DO NOT run anything but the "Search", then post that report.
Thanks
zschnapp
2007-01-14, 03:19
Here is the latest report. Thanks!
SmitFraudFix v2.132
Scan done at 21:18:55.00, Sat 01/13/2007
Run from C:\Documents and Settings\Jeff Schnapp\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode
»»»»»»»»»»»»»»»»»»»»»»»» C:\
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS
C:\WINDOWS\.protected FOUND !
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Jeff Schnapp
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Jeff Schnapp\Application Data
»»»»»»»»»»»»»»»»»»»»»»»» Start Menu
C:\DOCUME~1\JEFFSC~1\STARTM~1\Programs\Startup\.protected FOUND !
C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\.protected FOUND !
»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\JEFFSC~1\FAVORI~1
»»»»»»»»»»»»»»»»»»»»»»»» Desktop
»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files
»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys
»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""
»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32
»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection
»»»»»»»»»»»»»»»»»»»»»»»» End
pskelley
2007-01-14, 12:10
Thanks, looks like Smitfraudfix found those items, let's do this:
http://siri.geekstogo.com/SmitfraudFix.php <<< tutorial if you need it
Clean:
Reboot your computer in Safe Mode (before the Windows icon appears, tap the F8 key continually)
Double-click SmitfraudFix.exe
Select 2 and hit Enter to delete infect files.
You will be prompted: Do you want to clean the registry ? answer Y (yes) and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection.
The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found): Replace infected file ? answer Y (yes) and hit Enter to restore a clean file.
A reboot may be needed to finish the cleaning process. The report can be found at the root of the system drive, usually at C:\rapport.txt
Optional:
To restore Trusted and Restricted site zone, select 3 and hit Enter.
You will be prompted: Restore Trusted Zone ? answer Y (yes) and hit Enter to delete trusted zone.
Note, if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.
Restart the computer and you may have to run HJT to remove the items from the log. Then post the C:\rapport.txt and a HJT log. Let me know about any problems at that point.
Thanks
zschnapp
2007-01-15, 02:20
I did the last few steps you asked for. The computer seems to be running a bit better, but as soon as I went to my yahoo home page I got redirected again to "http://ad.yieldmanager.com/st%3Fad_type", again with dell in the top left corner. Thanks again for all of your help.
Here it the newest HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 8:19:03 PM, on 1/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\STOPzilla!\STOPzilla.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\QuickTime\qttask.exe
C:\program files\support.com\bin\tgcmd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\ArcSoft\Media Card Companion\MCC Monitor.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\SBC\Connection Manager\CManager.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\PROGRA~1\BROADJ~1\CORREC~1\CCD.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\SoftwareDistribution\Download\Install\IE7-WindowsXP-x86-enu.exe
c:\0d8f6e4df9da624d8de31e9753cd\update\iesetup.exe
C:\HJT\HijackThis.exe
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: ZILLAbar BHO - {1827766B-9F49-4854-8034-F6EE26FCB1EC} - C:\Program Files\STOPzilla!\ZB2.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\GoogleAFE\GoogleAE.dll
O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\Program Files\STOPzilla!\SZIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: STOPzilla - {98828DED-A591-462F-83BA-D2F62A68B8B8} - C:\Program Files\STOPzilla!\ZB2.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [tgcmdprovidersbc] "c:\program files\support.com\bin\tgcmd.exe" /server /startmonitor /deaf /nosystray
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - Startup: Connection Manager.lnk = C:\Program Files\SBC\Connection Manager\CManager.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Monitor.lnk = C:\Program Files\ArcSoft\Media Card Companion\MCC Monitor.exe
O4 - Global Startup: officejet 6100.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{4AA508C2-5E85-4F4E-A809-3E6C3B18B3FA}: NameServer = 66.73.20.40 206.141.193.55
O17 - HKLM\System\CS1\Services\Tcpip\..\{4AA508C2-5E85-4F4E-A809-3E6C3B18B3FA}: NameServer = 66.73.20.40 206.141.193.55
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: STOPzilla Service (szserver) - Unknown owner - C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
Here is the rapport.txt
SmitFraudFix v2.132
Scan done at 20:09:14.57, Sun 01/14/2007
Run from C:\Documents and Settings\Jeff Schnapp\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode
»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» Killing process
»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix
GenericRenosFix by S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files
C:\WINDOWS\.protected Deleted
C:\DOCUME~1\JEFFSC~1\STARTM~1\Programs\Startup\.protected Deleted
C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\.protected Deleted
»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files
»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""
»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning
Registry Cleaning done.
»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» End
zschnapp
2007-01-15, 02:24
Here is the full address that I get re-directed to every time I go to my yahoo homepage and sometimes get re-directed to for many other web sites.
http://www.google.com/hws/dell/afe?hl=en&s=http://ad.yieldmanager.com/st?ad_type=iframe&ad_size=180x150&site=68737§ion_code=9957505&cb=1168824186911193&ycg=1&pub_redirect_unencoded=1&pub_redirect=http://us.ard.yahoo.com/SIG=12jmscctq/M=570219.9957505.10706098.7169316/D=sbcedit/S=360461157:REC/_ylt=AjbpksoSMEfm1DXd08h4LFRlM3wV/Y=YAHOO/EXP=1168831386/A=4307631/R=0/*
pskelley
2007-01-15, 02:43
OK, I see this in the log, did you download IE7 and not install it yet?
C:\WINDOWS\SoftwareDistribution\Download\Install\IE7-WindowsXP-x86-enu.exe
c:\0d8f6e4df9da624d8de31e9753cd\update\iesetup.exe
Would you go here Internet Explorer > Tools > Internet Options > General Tab > Tell me what address is in the Home Page box.
We may have some Wareout infection left on the computer. That's the Ukrainians I showed you in the beginning. Please do this.
Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/file...Fixwareout.exe
Save it to your Desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts.
You will be asked to reboot your computer; please do so.
Your system may take longer than usual to load; this is normal.
Once the Desktop loads post the text that will open (report.txt) and a new Hijackthis log in the forum please.
Thanks
zschnapp
2007-01-17, 01:16
I apologize for the delay...I was unable to get to the computer.
I had installed IE7 via a windows update soon after my last post, so that's taken care of now. The homepage is sbc yahoo dsl.
Here are the results of the last program:
Fixwareout
Last edited 1/14/2006
Post this report in the forums please
...
Prerun check
»»»»» HKLM run and Winlogon System values
»»»»» System restarted
...
Reg Entries that were deleted
...
Random Runs removed from HKLM
...
PLEASE NOTE, There WILL be LEGITIMATE FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»» Searching by size/names...
»»»»»
Search five digit cs, dm kd and jb files.
This WILL/CAN also list Legit Files, Submit them at Virustotal
Other suspects.
»»»»» Misc files.
»»»»» Checking for older varients covered by the Rem3 tool.
»»»»» Postrun check
»»»»» HKLM run
»»»»» Winlogon System value
"system"=""
»»»»»
Here is the latest HJT log
Logfile of HijackThis v1.99.1
Scan saved at 7:12:55 PM, on 1/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\STOPzilla!\STOPzilla.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\QuickTime\qttask.exe
C:\program files\support.com\bin\tgcmd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\ArcSoft\Media Card Companion\MCC Monitor.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\SBC\Connection Manager\CManager.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\BROADJ~1\CORREC~1\CCD.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\HJT\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dsl.sbc.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: ZILLAbar BHO - {1827766B-9F49-4854-8034-F6EE26FCB1EC} - C:\Program Files\STOPzilla!\ZB2.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\GoogleAFE\GoogleAE.dll
O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\Program Files\STOPzilla!\SZIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: STOPzilla - {98828DED-A591-462F-83BA-D2F62A68B8B8} - C:\Program Files\STOPzilla!\ZB2.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [tgcmdprovidersbc] "c:\program files\support.com\bin\tgcmd.exe" /server /startmonitor /deaf /nosystray
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Connection Manager.lnk = C:\Program Files\SBC\Connection Manager\CManager.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Monitor.lnk = C:\Program Files\ArcSoft\Media Card Companion\MCC Monitor.exe
O4 - Global Startup: officejet 6100.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O17 - HKLM\System\CCS\Services\Tcpip\..\{4AA508C2-5E85-4F4E-A809-3E6C3B18B3FA}: NameServer = 66.73.20.40 206.141.193.55
O17 - HKLM\System\CS1\Services\Tcpip\..\{4AA508C2-5E85-4F4E-A809-3E6C3B18B3FA}: NameServer = 66.73.20.40 206.141.193.55
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: STOPzilla Service (szserver) - Unknown owner - C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
[B]I went to my yahoo homepage this time and there was no sign of me being transferred to ad.yieldmanager! I will do a few more tests but it looks like that has been taken care of.
Thanks for all of your help again...You have been very helpful and I appreciate it.
pskelley
2007-01-17, 02:28
Thanks for the feedback, sounds good. As far as I can see you have this:
C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe which scans as a Anti-Spyware program and I see no Anti-Virus program running on the computer.
C:\Program Files\STOPzilla!\STOPzilla.exe <<< as far as I can see this program has nothing to do with Anti-Virus. You need to run a antivirus program, here are several free ones and I personally suggest AVG Anti-Virus 7.5 from Grisoft:
http://free.grisoft.com/freeweb.php
http://www.avast.com/eng/avast_4_home.html
http://www.free-av.com/
If you are depending on the SP2 firewall, my suggestion would be to turn it off and install one of these free firewalls:
http://www.jetico.com/index.htm#/jpfirewall.htm
http://www.zonelabs.com/store/content/company/products/znalm/freeDownload.jsp
You should remove all of the tools we download, if you even need them again you would have to download them fresh because of updates. The exception being ATF-Cleaner, you may keep it if you wish. Here is a small tutorial on it's use.
http://forums.security-central.us/showthread.php?t=1925
System Restore does not know the good files from the bad. In case bad stuff has gotten into your System Restore files, follow the instructions in this link to get clean System Restore files. Turn it off, reboot then turn it back on:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?Open&src=sec_doc_nam
Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml
Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.
zschnapp
2007-01-17, 04:42
Thanks again for all of your help..I will do as you have said and follow-up on a better anti-virus program.
Again, thank you very much...You were extremely helpful.
Glad we could help, as the problem appears to be resolved :bigthumb: this topic has been archived.
If you need it re-opened please send me or your helper a private message (pm) and provide a link to the thread; this applies only to the original topic starter.
Anyone else with similar problems please start a new topic.